Learning IINS (Part 7) – L2 Security


On a DHCP-enabled network, Attackers can connect their rouge DHCP server (or use hacking tools like gobbler) to perform further attack. When client broadcasts DHCP request, the DHCP response from spoofing DHCP server might assign the attacker’s IP address as client’s default gateway or DNS server. As a result, hacker can capture traffic that send from client.

The DHCP snooping feature on Cisco Catalyst switches can be used to combat a DHCP server spoofing attack. With this solution, Cisco Catalyst switch ports are configured in either the trusted or untrusted state. If a port is trusted, it is allowed to receive DHCP responses (OFFER, ACK, NAK). Converely, if a port is untrusted, it is not allowed to receive DHCP response, and if a DHCP response attemps to enter an untrusted port, the port’s then disabled.

By default, when we enable DHCP snooping feature, all ports are considered to be in untrusted state.

Configure DHCP snooping

Globally enable DHCP snooping:

Ip dhcp snooping

We can also enable DHCP snooping for specific VLANs:

Ip dhcp snooping vlan 7,10,30-40

After enable DHCP snooping, indicate the trust ports:

Interface gigaethernet 0/1
Ip dhcp snooping trust

Another type of DHCP attack is a DOS attack against DHCP server (by using hacking tools like gobbler).  Specifically, the attacker can repeatedly request IP address assignments from DHCP server with many different MAC addresses. That causes the DHCP pool be quickly full, and cannot assign IP address for clients’ legitimate requests. To mitigate such that DOS attack, DHCP snooping can be used to limit the number of DHCP messages per second:

Interface gigaethernet 0/2
Ip dhcp snooping limit rate 3


The DHCP snooping feature dynamically builds a DHCP binding table, which contains the MAC addresses mapped to IP addresses. Additionally, this feature supports static MAC address to IP address mapping. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks. DAI works similarly to DHCP Snooping that using trusted and untrusted ports.

ARP replies are allowed into switch on trusted port.

On untrusted port, when an ARP reply comes, it is compared to the DHCP binding table. If violence occurs, the ARP reply is dropped and the switch port is disbled.

We should run DAI on all our switches. Cisco’s recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted port and all ports connected to switches as trust ports.

Configure Dynamic ARP Inspection

Globally enable DAI feature:

Ip arp inspection vlan 10

Configure the DAI trusted ports:

Interface gigaethernet 0/3
ip arp inspection trust

Verify configuration:

show ip arp inspection statistics

If host uses static IP assignment:

Arp access-list static-arp
permit ip host mac host aabb.ccdd.0011
Ip arp inspection filter static-arp vlan 101


IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host. Any IP traffic coming into the interface with a source IP address other than that assigned (via DHCP or static configuration) will be filtered out on the untrusted Layer 2 ports.

The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC and VLAN numbers. The IP Source Guard is supported on Layer 2 ports only, including access and trunk ports.

Keep in minds that IP source guard just like DAI but for IP source address (works without the attack using ARP for source address)

Here is the comparation between DAI and IP Source Guard:

Configuration example:

Interface  gigabitEthernet1/0/1
Ip verify source port-security


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s